2022/0084(COD) | [ParlTrack]

Proposal for a regulation
Recital 2

(2) While progress has been made towards more consistent rules for the protection of European Union classified information (‘EUCI’) and non-classified information, the interoperability of the relevant systems remains limited, preventing a seamless transfer of information between the different Union institutions and bodies. ~~Further efforts should therefore be made to enable a~~An interinstitutional approach to the sharing of EUCI and sensitive non-classified information, with common categories of information and common key handling principles~~. A baseline should also be envisaged to simplify~~ is urgently needed. This includes common procedures for sharing EUCI and sensitive non-classified information between Union institutions and bodies and with Member States.

Amendment 32 #

Proposal for a regulation
Recital 4

(4) The recent pandemic caused a significant change in working practices with remote communication tools becoming the rule. Therefore, many procedures that were still at least partly paper-based were rapidly adjusted to enable electronic processing and exchanges of information. These developments require changes in the procurement, handling and protection of information. This Regulation takes account of the new working practices.

Amendment 33 #

Proposal for a regulation
Recital 5

(5) By creating a minimum common level of protection for EUCI and non- classified information, this Regulation contributes to ensuring that the Union institutions and bodies have the support of an efficient and independent administration in carrying out their missions. At the same time, each Union institution and body retains its autonomy in determining how to implement the rules laid down in this Regulation, in line with its own security needs. This Regulation shall in no case prevent Union institutions and bodies to fulfil their mission, as entrusted by the EU legislation, or ~~encroach~~create disproportionate burdens on their institutional autonomy.

Amendment 34 #

Proposal for a regulation
Recital 8

(8) With a view to establishing a formal structure for cooperation between Union institutions and bodies in the field of information security, it is necessary to set up an Interinstitutional Coordination Group (the ‘Coordination Group’) in which all Union institutions’ and bodies’ Security Authorities are represented. ~~Without having decision-making powers, t~~The Coordination Group should adopt recommendations and provisions to enhance the coherence of policies in the field of information security and should contribute to the harmonisation of the information security procedures and tools across the Union institutions and bodies.

Amendment 35 #

Victor NEGRESCU

Proposal for a regulation
Recital 9

(9) The Coordination Group’s work needs the support of experts in different areas of information security: categorisation and marking, communication and information systems, accreditation, physical security and sharing EUCI and exchanging classified information. In order to prevent duplication of effort across the Union institutions and bodies, thematic sub-groups should be therefore established. Moreover, where needed, the Coordination Group should be able to set up other subgroups with specific tasks. The Coordination Group’s work should also regard the training component for the Union institutions' and bodies' personnel, with the scope of enhancing information security awareness and best practices, complementary to the established procedures.

Amendment 36 #

Victor NEGRESCU

Proposal for a regulation
Recital 10

(10) The Coordination Group should closely cooperate with the National Security Authorities of the Member States with a view to enhancing information security in the Union. An Information Security Committee of the Member States should therefore be set up to provide advice to the Coordination Group. Given the constantly evolving threat landscape at Union level, close cooperation with the Committee is required in order to adapt prevention and mitigation methods for information security.

Amendment 37 #

Proposal for a regulation
Recital 14

(14) With the purpose of adjusting to the new teleworking practices, the networks used for connecting to the Union institution’s or body’s remote access services should be protected by ~~adequat~~effective security measures.

Amendment 38 #

Proposal for a regulation
Recital 16

(16) The substantive rules regarding access to EUCI in the internal rules of various Union institutions and bodies are currently aligned, but there are significant differences as regards denominations and required procedures. This creates a burden for the National Security Authorities of the Member States who need to adjust to different requirements. Thus it is necessary to provide for a common glossary and common procedures in the area of personnel security, thereby simplifying cooperation with the National Security Authorities of the Member States and limiting the risk of compromising EUCI, while respecting the Rules of Procedure of each institution and body.

Amendment 39 #

Proposal for a regulation
Recital 25

(25) Furthermore, the sharing of EUCI between the Union institutions and bodies and the exchange of classified information with international organisations and third countries should also be regulated by appropriate security measures for the protection of that information. Where agreements on security of information are envisaged, the provisions of Article 218 ~~of the Treaty~~TFEU should apply.

Amendment 40 #

Proposal for a regulation
Article 4 – paragraph 2

Amendment 41 #

Proposal for a regulation
Article 6 – paragraph 1 – subparagraph 2

It shall be composed of all Security Authorities of the Union institutions and bodies, and shall have a mandate to define ~~their~~ common ~~policy~~measures in the field of information security.

Amendment 42 #

Proposal for a regulation
Article 6 – paragraph 2 – point c

(c) establish recommendations and guidance documents on the implementation of this Regulation, in cooperation with the Interinstitutional Cybersecurity Board referred to in Article 9 of the Regulation EU [...] laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union, where appropriate;

Amendment 43 #

Victor NEGRESCU

Proposal for a regulation
Article 6 – paragraph 2 – point d

(d) set up dedicated platforms for sharing best practices, training and knowledge on common topics relevant to information security as well as for providing assistance in case of information security incidents;

Amendment 44 #

Proposal for a regulation
Article 6 – paragraph 2 – point e a (new)

(e a) ensure compliance of the Union bodies, institutions, offices and agencies with the provisions set out within the Regulation

Amendment 45 #

Proposal for a regulation
Article 6 – paragraph 2 – point e a (new)

(e a) Shall carry out risk assessments, in particular with regards to foreign interference in EUCI.

Amendment 46 #

Proposal for a regulation
Article 6 – paragraph 6 a (new)

6 a. The appointed members of the Coordination Group shall be adequately gender and geographically balanced.

Amendment 47 #

Proposal for a regulation
Article 6 – paragraph 7

7. Union institutions and bodies shall bring to the attention of the Coordination Group any significant information security policy development within their organisation, within a reasonable timeframe.

Amendment 48 #

Proposal for a regulation
Article 8 – paragraph 4

4. TUnder exceptional circumstances, the responsibilities of one or more of the functions referred to in paragraph 3 may be delegated to another Union institution or body whenever decentralised delivery of security offers significant efficiency, resource or time savings.

Amendment 49 #

Proposal for a regulation
Article 12 – paragraph 2

2. Union institutions and bodies ~~may~~shall mark with ‘PUBLIC USE’ the information referred to in paragraph 1.

Amendment 50 #

Proposal for a regulation
Article 15 – paragraph 1

1. Union institutions and bodies shall establish streamlined procedures for the reporting and management of any incident or suspected incident that could lead to a compromise of the security of non- classified information.

Amendment 51 #

Proposal for a regulation
Article 17 – paragraph 1 – introductory part

1. Union institutions and bodies ~~shall~~must ensure that CISs meet the following minimum requirements when handling and storing sensitive non-classified information:

Amendment 52 #

Gwendoline DELBOS-CORFIELD

Proposal for a regulation
Article 17 – paragraph 1 – point c

Amendment 53 #

Proposal for a regulation
Article 18 – paragraph 2 a (new)

2 a. In the event of any doubt as to the confidential nature of an item of information or its appropriate level of classification, the two institutions shall consult each other without delay and before transmission of the document. In these consultations, Parliament shall be represented by the chair of the parliamentary body concerned, accom-panied, where necessary, by the rapporteur, or the office-holder who submitted the request. The Commission shall be represented by the Member of the Commission with responsibility for that area, after consultation of the Member of the Commission responsible for security matters. In the event of a disagreement, the matter shall be referred to the Presidents of the two institutions so that they may resolve the dispute.

Amendment 54 #

Gwendoline DELBOS-CORFIELD

Proposal for a regulation
Article 20 – paragraph 1

1. The holder of any item of EUCI shall be legally responsible for its protection. This shall include responsibility under the Treaties, relevant criminal law and staff regulations.

Amendment 55 #

Proposal for a regulation
Article 20 – paragraph 3 a (new)

3 a. This Article is without prejudice to Regulation No 1049/2001 regarding public access to European Parliament, Council and Commission documents.

Amendment 56 #

Proposal for a regulation
Article 21 – paragraph 1

1. The security Authority of each Union institution and body shall approve the security measures for protecting EUCI throughout its life-cycle in accordance with the outcome of a risk assessment performed by the respective Union institution or body. The risk assessment shall have a common criteria to ensure all Union institutions and bodies have aligned security measures, while also considering the particularities relevant to each institution or body.

Amendment 57 #

Proposal for a regulation
Article 22 – paragraph 3 – point a

(a) inform the originator as soon as the compromise has been identified;

Amendment 58 #

Proposal for a regulation
Article 22 – paragraph 3 – point e

(e) notify the competent authorities about the actual or potential compromise and the action taken, without any undue delay.

Amendment 59 #

Proposal for a regulation
Article 23 – paragraph 1 – introductory part

1. The Security Authority of a Union institution or body ~~may~~shall grant individuals access to EUCI where all the following conditions are met:

Amendment 60 #

Proposal for a regulation
Article 39 – paragraph 1

1. Union institutions and bodies shall decide ~~whether and~~upon a recommendation by the Coordination Group when to archive EUCI, and the corresponding practical measures~~, in accordance with their policy on document management~~.

Amendment 61 #

Proposal for a regulation
Article 39 – paragraph 2

2. EUCI documents shall ~~not~~ be transferred to the Historical Archives of the European Union after 30 years. The Historical Archives of the European Union shall take effective measures to protect EUCI from unauthorised access prior to declassification.

Amendment 62 #

Proposal for a regulation
Article 51 – paragraph 3 – subparagraph 2 a (new)

Such agreements and arrangements shall be subject to an ongoing review and assessment procedure, factoring in developments in the security measures, as well as Union's relationship with these third countries, subject to the provisions laid out in Article 53.

Amendment 63 #

Proposal for a regulation
Article 52 – paragraph 2

2. The sub-group on EUCI sharing and exchange of classified information shall be composed of representatives from the Commission, the Council and the European External Action Service, ensuring gender and geographical balance, and shall work by consensus.

Amendment 64 #

Proposal for a regulation
Article 53 – paragraph 1

1. The sub-group on EUCI sharing and exchange of classified information shall carry out regular assessment visits in full cooperation with the officials of the Union institution or body being visited. It may seek assistance from the NSA on whose territory the Union institution or body is located.

source: 731.766

2022/12/05 ITRE 50 amendments...

Amendment 20 #

Proposal for a regulation
Recital 1

(1) Union institutions ~~and bod~~, bodies, offices and agencies currently have their own information security rules, based on their rules of procedure or their founding act, or do not have such rules at all. In that context, each Union institution and body invests significant efforts in adopting different approaches, leading to a situation where exchange of information is not always reliable. The lack of a common approach hinders the deployment of common tools building on an agreed set of rules depending on the security needs of the information to be protected.

Amendment 21 #

Proposal for a regulation
Recital 2

(2) While progress has been made towards more consistent rules for the protection of European Union classified information (‘EUCI’) and non-classified information, the interoperability of the relevant systems remains limited, preventing a seamless transfer of information between the different Union institutions and bodies. Further efforts should therefore be made to enable an interinstitutional approach to the sharing of EUCI and sensitive non-classified information, with common categories of information ~~and~~, common key handling principles, and where appropriate, common information system infrastructure on which information is handled, stored and transmitted by Union institutions, bodies, offices and agencies. A baseline should also be envisaged to simplify procedures for sharing EUCI and sensitive non-classified information between Union institutions and bodies and with Member States.

Amendment 22 #

Proposal for a regulation
Recital 2

(2) While progress has been made towards more consistent rules for the protection of European Union classified information (‘EUCI’) and sensitive non- classified information (‘non-EUCI’), the interoperability of the relevant systems remains limited, preventing a seamless transfer of information between the different Union institutions and bodies. Further efforts should therefore be made to enable an interinstitutional ~~approach to~~framework for the sharing of EUCI and sensitive non- classified information, ~~with common categories of informa~~composed of this regulation and of the [regulation on non- EUCI] with common definitions and common key handling principles. A baseline should also be envisaged to simplify procedures for sharing EUCI and sensitive non-~~classified information~~EUCI between Union institutions and bodies and with Member States.

Amendment 23 #

Proposal for a regulation
Recital 3 a (new)

(3 a) When developing information security rules, Union institutions and bodies should ensure efficiency and choose the best solutions, in particular as regards return on investments, appropriate levels of flexibility, decrease of administrative burdens, minimisation of risks, and higher levels of transparency, and improvement of the work environment;

Amendment 24 #

Proposal for a regulation
Recital 3 b (new)

(3 b) In the context of information security, Union institutions and bodies should increase organisational interoperability and act together to ensure the protection of networks and information systems, data and the assets employed to capture, store, process and transmit it, and information as well as information infrastructure.

Amendment 25 #

Proposal for a regulation
Recital 5 a (new)

(5 a) While ensuring a high level of protection for information, this Regulation is also providing a clear framework to enhance transparency, minimising and limiting in time the use of confidential documents, providing safeguards against use of classification that would prevent Union institutions and bodies to fulfil their mission and ensuring that the whistleblowers are adequately protected.

Amendment 26 #

Proposal for a regulation
Recital 5 a (new)

(5 a) This Regulation should ensure that any limitation of the right to the protection of personal data and privacy is necessary and proportionate, in accordance with Article 52 (1) of the EU Charter of Fundamental Rights.

Amendment 27 #

Proposal for a regulation
Recital 5 b (new)

(5 b) All information security measures involving processing of personal data should be compliant with the relevant Union data protection and privacy legislation. Union institutions and bodies should take relevant technical and organisational safeguards to ensure compliance in an accountable and transparent manner.

Amendment 28 #

Proposal for a regulation
Recital 6

(6) This Regulation is without prejudice to Regulation (Euratom) No 3/195817 , Regulation No 31 (EEC), 11 (EAEC), laying down the Staff Regulations of Officials and the Conditions of Employment of other servants of the European Economic Community and the European Atomic Energy Community18 , Regulation (EC) 1049/2001 of the European Parliament and of the Council19 , Regulation (EU) 2018/1725 of the European Parliament and of the Council20 , including the rules on international transfers, Council Regulation (EEC, EURATOM) No 354/8321 , Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council22 , Regulation (EU) 2021/697 of the European Parliament and of the Council23 , Regulation (EU) [...] of the European Parliament and of the Council24 laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union. _________________ 17 Regulation (Euratom) No 3/1958 implementing Article 24 of the Treaty establishing the European Atomic Energy Community (OJ 17, 6.10.1958, p. 406). 18 OJ 45, 14.6.1962, p. 1385. 19 Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43). 20 Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39). 21 Council Regulation (EEC, EURATOM) No 354/83 of 1 February 1983 concerning the opening to the public of the historical archives of the European Economic Community and the European Atomic Energy Community (OJ L 43, 15.2.1983, p. 1). 22 Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the general budget of the Union, amending Regulations (EU) No 1296/2013, (EU) No 1301/2013, (EU) No 1303/2013, (EU) No 1304/2013, (EU) No 1309/2013, (EU) No 1316/2013, (EU) No 223/2014, (EU) No 283/2014, and Decision No 541/2014/EU and repealing Regulation (EU, Euratom) No 966/2012 (OJ L 193, 30.7.2018, p. 1). 23 Regulation (EU) 2021/697 of the European Parliament and of the Council of 29 April 2021 establishing the European Defence Fund and repealing Regulation (EU) 2018/1092 (OJ L 170, 12.5.2021, p. 149). 24 Regulation […] of the European Parliament and of the Council laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union, to be adopted

Amendment 29 #

Proposal for a regulation
Recital 12

(12) The principle of information security risk management should be at the core of the policy to be developed in the field by each Union institution and body. While the minimum requirements laid down in this Regulation must be met, each Union institution and body should adopt specific security measures for protecting information in accordance with the results of an internal risk assessment. In the same way, the technical means to protect the information should be adapted to the specific situation of each institution and body. However, the specific security measures should not constitute an impediment for the activity of other institutions and legal access to information, as for example unduly limiting the acces of the Members of European Parliament to the information produced or held by the European Commission.

Amendment 30 #

(14) With the purpose of adjusting to the new teleworking practices, the networks, information systems, digital infrastructure and terminal devices used for connecting to the Union institution’s or body’s remote access services should be protected by adequate security measures.

Amendment 31 #

Proposal for a regulation
Recital 15

(15) Since Union institutions and bodies frequently make use of contractors and outsourcing, it is important to establish common provisions relating to contractors’ personnel carrying out tasks related to information security. Union institutions, bodies, offices and agencies should establish formal procedures underpinning the tendering process for contractors and outsourcing partners, taking into account the specificities of their operational technology environments and the complexities of their supply chains.

Amendment 32 #

Proposal for a regulation
Recital 17 a (new)

(17 a) All Union institutions, bodies, offices and agencies should integrate procedures for dealing with personal data breaches in their procedures for information security incident management. Union institutions, bodies, offices and agencies should adopt a personal data breach handling procedure which also includes notification to the European Data Protection Supervisor (EDPS) and communication to the people affected, where necessary. The procedure for dealing with personal data breaches does not replace or supersede any other incident handling process or procedure.

Amendment 33 #

Proposal for a regulation
Recital 21

(21) Union institutions and bodies have been traditionally developed their communication and information systems autonomously, with insufficient attention to their interoperability across all Union institutions and bodies. It is therefore necessary to establish minimum security requirements concerning the Communication and Information Systems (CISs) handling ~~and stor~~, storing and transmitting both EUCI and non-classified information with the aim to guarantee a seamless exchange of information with the relevant stakeholders.

Amendment 34 #

Proposal for a regulation
Recital 24

(24) The close cooperation between Union institutions and bodies as well as the multitude of synergies developed among them involve the sharing of a large amount of information. For the sake of the classified information security, the trustworthiness of a Union institution or body should be assessed before they handle and store a specified level of EUCI. Such synergies and cooperation is relevant, when dealing with activities such as applying data protection by design and by default to information security measures, selecting security measures that involve personal data, integrated risk management, and integrated security incident handling.

Amendment 35 #

Proposal for a regulation
Recital 24

Amendment 36 #

Proposal for a regulation
Article 1 – paragraph 1

1. This Regulation lays down information security rules for all Union institutions ~~and bod~~, bodies, offices and agencies.

Amendment 37 #

Proposal for a regulation
Article 2 – paragraph 2 – point a

~~(a) three levels of non-classified information: public use, normal and sensitive non-classifi~~deleted;

Amendment 38 #

Proposal for a regulation
Article 3 – paragraph 1 – point i a (new)

(i a) ‘ICT environment’ means any on- premise or virtual asset, ICT product, ICT service and ICT process and any network and information system whether owned and operated by a Union institution, body, office or agency, or hosted or operated by a third party, including mobile devices, corporate networks, and business networks not connected to the internet and any devices connected to the ICT environment;

Amendment 39 #

Ivars IJABS, Christophe GRUDLER

Proposal for a regulation
Article 3 – paragraph 1 – point i b (new)

(i b) ‘classified ICT environment’ means any component of a Union institution, body, office or agency's ICT environment that is used for the processing, storing or transmission of EU classified information (EUCI);

Amendment 40 #

Proposal for a regulation
Article 3 – paragraph 1 – point s

(s) ‘zero trust’ means a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement of the existence of threats inside and outside traditional network boundaries; and 'never trust, always verify' concept.

Amendment 41 #

Proposal for a regulation
Article 3 – paragraph 1 – point ae a (new)

(ae a) ‘standard’ means a standard as defined in point (1) of Article 2 of Regulation (EU) No 1025/2012;

Amendment 42 #

Proposal for a regulation
Article 4 – paragraph 6 – subparagraph 2

Union institutions ~~and bod~~, bodies, offices and agencies handling and storing EUCI shall organise mandatory training at least once every 53 years for all individuals authorised to access EUCI. The Union institutions and bodies concerned shall organise specific training for the specific functions entrusted with information security tasks. Union institutions, bodies, offices and agencies shall design and implement effective and appropriate trainings commensurate to the risks identified in accordance with Article 5 of this Regulation for all individuals authorised to access EUCI no later than 6 months after the entry into force of this Regulation.

Amendment 43 #

Proposal for a regulation
Article 5 – paragraph 2 – point e a (new)

(e a) integrity, availability and resilience of processing systems and services.

Amendment 44 #

Proposal for a regulation
Article 5 – paragraph 2 a (new)

2 a. Each Union institution, body, office and agency shall ensure compliance with Regulation (EU) 2018/1725. Personal data processing activities allowed for the purposes of this Regulation shall include: a) the purposes of data processing; b) categories of personal data; c) categories of data subjects; d) definition of roles as applicable (controller, processor, joint controllers); e) retention periods; f) recipients, in case of transmission to entities not subject to the Regulation (EU) 2018/1725.

Amendment 45 #

Proposal for a regulation
Article 5 – paragraph 3 – point -a (new)

(-a) the risks for the rights and freedom of natural persons;

Amendment 46 #

Proposal for a regulation
Article 5 – paragraph 3 – point c a (new)

(c a) the threats deriving from access based on third country jurisdictions;

Amendment 47 #

Proposal for a regulation
Article 5 – paragraph 3 – point f

(f) business continuity ~~and disaster recovery~~, such as back up management and disaster recovery, and crisis management;

Amendment 48 #

Proposal for a regulation
Article 6 – paragraph 1 – subparagraph 2

It shall be composed of all Security Authorities of the Union institutions and bodies and the chairperson of the Information Security Committee referred to in paragraph 8 of this Article, and shall have a mandate to define their common policy in the field of information security.

Amendment 49 #

Proposal for a regulation
Article 6 – paragraph 8

8. In the performance of the tasks referred to in paragraph 2, point (e), the Coordination Group shall be assisted by an Information Security Committee. That Committee shall be composed of one representative from each National Security Authority and shall ~~be chaired by~~have the administrative support of the Secretariat of the Coordination Group, referred to in paragraph 5. ~~The Information Security Committee shall have an advisory role.~~

Amendment 50 #

Proposal for a regulation
Article 8 – paragraph 2 a (new)

2 a. The Security Authority shall cooperate closely with the Data Protection Officer designated in accordance with Article 43 of Regulation (EU) 2018/1725.

Amendment 51 #

Ivars IJABS, Christophe GRUDLER

Proposal for a regulation
Article 9 – paragraph 2

2. Any CIS that handles and stores EUCI shall be accredited in accordance with Chapter 5, Section 5. ~~Any CIS that handles and stores sensitive non-classified information shall comply with the minimum requirements for sensitive non- classified information in CISs set out in Chapter 4.~~

Amendment 52 #

Proposal for a regulation
Article 10 – paragraph 1 – point c a (new)

(c a) strengthening cooperation and coordination with Cybersecurity Centre for the Union institutions and bodies (CERT-EU)

Amendment 53 #

Ivars IJABS, Christophe GRUDLER

Proposal for a regulation
Article 11 – paragraph 4 – point d a (new)

(d a) end-to-end encryption, in particular when exchanging sensitive non-classified information;

Amendment 54 #

Proposal for a regulation
Article 11 – paragraph 5 – point d

(d) information security incidents shall be formally recorded and ~~followed up~~handled, in accordance with Regulation EU [XXX] laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union.

Amendment 55 #

Proposal for a regulation
Article 12

1. Information intended for public use or official publication or already disclosed, which can be shared without restrictions inside or outside the Union institutions and bodies, shall be categorised and handled and stored as information for public use. 2. Union institutions and bodies may mark with ‘PUBLIC USE’ the information referred to in paragraph 1. 3. All Union institutions and bodies shall ensure the integrity and availability of information for public use by appropriate measures based on its security needs.Article 12 deleted Information for public use

Amendment 56 #

Proposal for a regulation
Article 13

1. Information intended for use by a Union institution or body in the execution of its functions which is neither sensitive non-classified nor for public use shall be categorised, handled and stored as normal information. This category covers all normal working level information processed in the Union institution or body concerned. 2. Normal information may be marked visually or in metadata where necessary to ensure its protection, particularly where shared outside Union institutions and bodies. The marking ‘EU NORMAL’ or the ‘name or acronym of the Union institution or body NORMAL’ (adjusted on a case-by-case basis) shall be used in that case. 3. Union institutions and bodies shall define standard protective measures for normal information taking into account guidance from the sub-group on non- classified information and any specific risks related to their tasks and activities. 4. Normal information shall be exchanged outside Union institutions and bodies only with natural or legal persons having a need-to-know.Article 13 deleted Normal information

Amendment 57 #

Proposal for a regulation
Article 14

1. Union institutions and bodies shall categorise, handle and stored as sensitive non-classified all information that is not classified but which they must protect due to legal obligations or because of the harm that may be caused to the legitimate private and public interests, including those of the Union institutions and bodies, Member States or individuals by its unauthorised disclosure. 2. Each Union institution and body shall identify sensitive non-classified information by a visible security marking and shall define corresponding handling instructions in accordance with Annex I. 3. Union institutions and bodies shall protect sensitive non-classified information by applying appropriate measures in respect of its handling and storage. Such information may only be made available inside Union institutions and bodies to individuals with a need-to- know for the fulfilment of their assigned tasks. 4. Sensitive non-classified information shall be exchanged outside Union institutions and bodies only with natural and legal persons that have a need-to- know while respecting the handling instructions accompanying the information. All parties involved shall be made aware of the appropriate handling instructions.Article 14 deleted Sensitive non-classified information

Amendment 58 #

Proposal for a regulation
Article 15

Protection of non-classified information 1. Union institutions and bodies shall establish procedures for the reporting and management of any incident or suspected incident that could lead to a compromise of the security of non-classified information. 2. Where required, Union institutions and bodies shall use the markings provided for in Articles 12, 13 and 14. Exceptionally, other equivalent markings may be used internally and in relation with their particular counterparts from other Union institutions and bodies or from the Member States, when all parties agree. Such exception shall be notified to the sub-group on non-classified information, as referred to in Article 7(1), point (b). 3. Contractual safeguards shall be established to ensure the protection of normal and sensitive non-classified information processed by outsourced services. The safeguards shall be designed to guarantee at least an equivalent level of protection to that provided by this Regulation, and shall include confidentiality and non-disclosure undertakings to be signed by all relevant service providers involved in the provision of the outsourced systems.5 deleted and interoperability

Amendment 59 #

Proposal for a regulation
Article 16

Sub-group on non-classified information 1. The sub-group on non-classified information referred to in Article 7(1), point (b), shall have the following roles and responsibilities: (a) streamlining the procedures relating to handling and storing the non-classified information and preparing the relevant guidance; (b) coordinating with the sub-group on information assurance referred to in Article 7(1), point (a), on matters related to systems handling and storing non- classified information; (c) preparing handling instructions for the different confidentiality levels of non- classified information; (d) assisting Union institutions and bodies in establishing the equivalence between their particular categories of non- classified information and those provided for in Articles 12, 13 and 14; (e) facilitating the sharing of non- classified information between Union institutions and bodies, by providing assistance and guidance.Article 16 deleted

Amendment 60 #

Proposal for a regulation
Article 17

Handling and storing of sensitive non- classified information in CISs 1. Union institutions and bodies shall ensure that CISs meet the following minimum requirements when handling and storing sensitive non-classified information: (a) strong authentication shall be implemented to access SNC information and SNC information shall be encrypted in transmission and in storage; (b) encryption keys used for storage shall be under the responsibility of the Union institution or body responsible for the operation of the CIS; (c) SNC information shall be stored and processed in the Union; (d) contractual provisions covering security of staff, assets and information shall be included in any outsourcing contracts; (e) interoperable metadata shall be used to record the confidentiality level of electronic documents and to facilitate the automation of security measures; (f) measures to prevent and detect data leaks shall be implemented by the Union institutions and bodies to protect sensitive non-classified information; (g) security equipment bearing a European cybersecurity certificate shall be used, where available; (h) implementation of security measures based on the principles of need-to-know and zero trust to minimise access to sensitive non-classified information by service providers and contractors. 2. Any derogation from the minimum requirements set out in paragraph 1 shall be subject to approval by the appropriate level of management of the Union institution or body concerned, on the basis of a risk assessment covering the legal and technical risks to the security of the sensitive non-classified information. 3. The Information Assurance Authority of the Union institution or body concerned may check compliance with the principles set out in paragraph 1 at any time during the lifecycle of a CIS.Article 17 deleted

Amendment 61 #

Proposal for a regulation
Article 18 – paragraph 2

2. The Coordination Group shall adopt guidance documents on EUCI creation and classification, implementing the principle of minimisation of the use of classification and limiting in time the duration of such classification; The guidance must contain rules on assessment and justification for classifying information and material, aimed at increasing transparency and avoiding unjustified lock-in effects.

Amendment 62 #

Proposal for a regulation
Article 18 – paragraph 2 a (new)

2 a. In the case of the European Commission and the European Parliament, in the event of any doubt as to the confidential nature of an item of information or its appropriate level of classification, the two institutions shall consult each other without delay and before transmission of the document. In these consultations, Parliament shall be represented by the chair of the parliamentary body concerned, accompanied, where necessary, by the rapporteur, or the office-holder who submitted the request. The Commission shall be represented by the Member of the Commission with responsibility for that area, after consultation of the Member of the Commission responsible for security matters. In the event of a disagreement, the matter shall be referred to the Presidents of the two institutions so that they may resolve the dispute.

Amendment 63 #

Proposal for a regulation
Article 20 – paragraph 3 a (new)

3 a. This Article is without prejudice to Regulation No 1049/2001 regarding public access to European Parliament, Council and Commission documents.

Amendment 64 #

Proposal for a regulation
Article 22 – paragraph 3 a (new)

3 a. The persons who report, within the organisation concerned or to an outside authority, or disclose to the public EUCI on a wrongdoing, obtained in a work- related context, help preventing damage and detecting threat or harm to the public interest that may otherwise remain hidden, is exempted from administrative and criminal liability.

Amendment 65 #

Proposal for a regulation
Article 36 – paragraph 1

1. Where Union institutions and bodies decide to declassify an EUCI document, consideration shall be given as to whether it is to bear a sensitive non- classified information distribution marking in accordance with [regulation on protection of non-EUCI].

Amendment 66 #

Proposal for a regulation
Article 41 – paragraph 1 – point f a (new)

(f a) the system owner or Information Assurance Operational Authority shall ensure that a process of identifying and reporting vulnerabilities is in place, including internal and external rewards as appropriate. This should be complemented by regular audits and penetration tests where appropriate.

Amendment 67 #

Proposal for a regulation
Article 52 – paragraph 2

2. The sub-group on EUCI sharing and exchange of classified information shall be composed of representatives from the Commission, the European Parliament, the Council and the European External Action Service and shall work by consensus. The sub-group shall ensure synergy with the Access to Documents Regulation and make sure that classification doesn't in itself prevent disclosure.

Amendment 68 #

Proposal for a regulation
Article 52 – paragraph 2

Amendment 69 #

Proposal for a regulation
Article 54 – paragraph 1 a (new)

1 a. The conditions in paragraph 1 letter a) are considered to be fulfilled when acces to EUCI is needed in order to fulfil the institution mandate or mission, as entrusted by the EU legislation, or would otherwise encroach on heir institutional autonomy.

source: 739.608

2023/09/07 LIBE 148 amendments...

Amendment 100 #

Proposal for a regulation
Article 12 – paragraph 2

2. Union institutions and bodies may mark with ‘PUBLIC USE’ the information referred to in paragraph 1. The absence of such marking shall not give rise to a presumption that the information could be classified.

Amendment 101 #

Proposal for a regulation
Article 12 – paragraph 2

2. Union institutions and bodies ~~may~~shall mark with ‘PUBLIC USE’ the information referred to in paragraph 1.

Amendment 102 #

Proposal for a regulation
Article 12 – paragraph 3

3. All Union institutions and bodies shall ensure the integrity and availability of information for public use by appropriate measures based on ~~its~~their security needs and accounting for the right to information.

Amendment 103 #

Proposal for a regulation
Article 13 – paragraph 2

2. Normal information may be marked visually or in metadata where necessary to ensure its protection, particularly where shared outside Union institutions and bodies. The marking ‘EU NORMAL’ or the ‘name or acronym of the Union institution or body NORMAL’ (adjusted on a case-by-case basis) shall be used in that case. The absence of such marking shall not give rise to a presumption that the information could be classified.

Amendment 104 #

Proposal for a regulation
Article 13 – paragraph 4

~~4. Normal information shall be exchanged outside Union institutions and bodies only with natural or legal persons having a need-to-know.~~deleted

Amendment 105 #

Proposal for a regulation
Article 13 – paragraph 4

~~4. Normal information shall be exchanged outside Union institutions and bodies only with natural or legal persons having a need-to-know.~~deleted

Amendment 106 #

Proposal for a regulation
Article 14 – paragraph 1

Amendment 107 #

Proposal for a regulation
Article 14 – paragraph 4

4. Sensitive non-classified information shall be exchanged outside Union institutions and bodies only with natural and legal persons that have a need- to-know while respecting the handling instructions accompanying the information and the requirements stemming from legal protections that might apply as per paragraph 1 . All parties involved shall be made aware of the appropriate handling instructions.

Amendment 108 #

Proposal for a regulation
Article 15 – paragraph 1

1. Union institutions and bodies shall establish uniform procedures for the reporting and management of any incident or suspected incident that could lead to a compromise of the security of non- classified information.

Amendment 109 #

Proposal for a regulation
Article 15 – paragraph 2

2. Where required, Union institutions and bodies shall use the markings provided for in Articles 12, 13 and 14. Exceptionally, other equivalent markings may be used internally and in relation with their particular counterparts from other Union institutions and bodies or from the Member States, when all parties agree. Such exception shall be notified to the sub-group on non-classified information, as referred to in Article 7(1), point (b).

Amendment 110 #

Proposal for a regulation
Article 16 – paragraph 1 – point e a (new)

(ea) monitoring compliance by Union institutions and bodies with the relevant provisions of this Regulation as well as with the guidance documents adopted by the Coordination Group.

Amendment 111 #

Proposal for a regulation
Article 18 – paragraph 1 – point d

~~(d) RESTREINT UE/EU RESTRICTED: information and material the unauthorised disclosure of which could be disadvantageous to the interests of the Union or of one or more of the Member States.~~deleted

Amendment 112 #

Proposal for a regulation
Article 18 – paragraph 2

2. The Coordination Group shall adopt guidance documents on EUCI creation and classification. Such documents shall take into account both the principle of minimisation of the use of classified information and the risk of overclassification of certain documents, and shall include rules on assessing and justifying information and material classification, aimed at increasing transparency and avoiding unjustified lock-in effects.

Amendment 113 #

2a. In the event of any doubt as to the confidential nature of an item of information or its level of classification or in the event of a disagreement in between the European institutions, they shall consult each other without any delay and before transmission of this item of information. In these consultations, institutions shall be represented by the chair of the body concerned or the responsible for security matters. In the event of a disagreement, the matter shall be referred to the Presidents of the institutions so that they may resolve the dispute.

Amendment 114 #

Proposal for a regulation
Article 20 – paragraph 3 a (new)

3a. This Article is without prejudice to Regulation (EC) No 1049/2001.

Amendment 115 #

Proposal for a regulation
Article 22 – paragraph 1

1. Any act or omission of a Union institution or body or an individual, which is in breach of this Regulation, shall be considered as a breach of security.

Amendment 116 #

Proposal for a regulation
Article 22 – paragraph 3 – point a

(a) inform the originator without undue delay, and in any event no later than three days after the Security Authority has been informed of the breach;

Amendment 117 #

Proposal for a regulation
Article 22 – paragraph 3 – point b

(b) ensure that the case is throughly investigated by personnel not immediately concerned with the breach in order to establish the facts;

Amendment 118 #

Proposal for a regulation
Article 22 – paragraph 3 – point e

(e) notify the competent authorities about the actual or potential compromise and the action taken without undue delay, and in any event no later than three days after the Security Authority has been informed of the breach.

Amendment 119 #

Proposal for a regulation
Article 23 – paragraph 2

2. Union institutions and bodies shall take into account the loyalty, trustworthiness and reliability of an individual as determined by means of a security investigation conducted by the Commission in cooperation with the competent authorities of the relevant Member State ~~of which the applicant is a citizen or a national~~s. The Commission may also cooperate with third countries and international organisations with which the Union has a security of information agreement.

Amendment 120 #

Proposal for a regulation
Article 23 – paragraph 3

~~3. Union institutions and bodies may accept security clearances from third countries and international organisations with which the Union has a security of information agreement.~~deleted

Amendment 121 #

Proposal for a regulation
Article 23 – paragraph 3

3. Union institutions and bodies may accept security clearances from third countries and international organisations with which the Union has a security of information agreement. They shall, in any event, ensure that the principles under paragraphs 1 and 2 are observed.

Amendment 122 #

Proposal for a regulation
Article 23 – paragraph 4 – subparagraph 2

Where a SLA is concluded, the Commission Security Authority shall be the contact point between the security offices of the Union institution and body concerned and the national competent authorities of the Member States in the context of security clearance issues.deleted

Amendment 123 #

Proposal for a regulation
Article 24 – paragraph 4

4. In exceptional circumstances, 4. where duly justified in the interests of the service and pending completion of a full security investigation, the Security Authority of a Union institution or body may grant a temporary authorisation for individuals to access EUCI for a specific position, without prejudice to the provisions regarding renewal of authorisation to access EUCI ~~and upon verification of the relevant National Security Authority~~.

Amendment 124 #

Proposal for a regulation
Article 25 – paragraph 3

3. Where the holder of an authorisation to access EUCI takes up employment in another Union institution or body, that Union institution or body shall notify the relevant NSA of a change of employer, through the competent Security Authority.deleted

Amendment 125 #

Proposal for a regulation
Article 25 – paragraph 3

3. Where the holder of an authorisation to access EUCI takes up employment in another Union institution or body, that Union institution or body shall, without undue delay, notify the relevant NSA of a change of employer, through the competent Security Authority.

Amendment 126 #

Proposal for a regulation
Article 28 – paragraph 1 – point d a (new)

(da) monitoring compliance by Union institutions and bodies with the relevant provisions of this Regulation as well as with the guidance documents adopted by the Coordination Group.

Amendment 127 #

Proposal for a regulation
Article 30 – paragraph 2

2. Any Union institution and body which is the originator of EUCI shall determine the initial security classification of that information upon its creation and in accordance with Article 18(1).

Amendment 128 #

Proposal for a regulation
Article 31 – paragraph 1 – point a

(a) each page shall be marked clearly with the classification level and the duration of classification ;

Amendment 129 #

Proposal for a regulation
Article 32 – title

Originator con~~trol~~sent

Amendment 130 #

Proposal for a regulation
Article 32 – paragraph 1 – introductory part

1. The Union institution or body under whose authority an EUCI document is created shall have originator control over that document. The originator shall determine the classification level of the document and shall be responsible for its initial dissemination. The originator may consult intended recipients regarding the classification level of an EUCI document, in particular in the event of any doubt as to the confidential nature of an item of information and its appropriate level of classification, and to prevent over- classification of such documents. For the purposes of the initial dissemination of an EUCI document, the originator shall take into account the rights and obligations of information recipients arising from the Treaties. Without prejudice to Regulation 1049/2001, the originator’s prior written consent shall be obtained before the information is:

Amendment 131 #

Proposal for a regulation
Article 32 – paragraph 1 – introductory part

1. The Union institution or body under whose authority an EUCI document classified CONFIDENTIEL UE/EU- CONFIDENTIAL or higher is created shall have originator con~~trol~~sent right over that document. The originator shall determine the initial classification level of the document and shall be responsible for its initial dissemination. ~~Without prejudice to Regulation 1049/2001, the originator’s prior written consent shall be obtained~~The originator’s prior written consent shall be obtained if necessary in order to protect essential interests of the European Union or of one or more of its Member States in the area of public security, defence and military matters, international relations or the financial, monetary or economic policy, before the information is:

Amendment 132 #

Proposal for a regulation
Article 32 – paragraph 1 – point d

~~(d) copied and translated in case of TRES SECRET-UE/EU-TOP SECRET level.~~deleted

Amendment 133 #

Proposal for a regulation
Article 32 – paragraph 2

2. Where the originator of an EUCI document cannot be identified, the Union institution or body holding that classified information shall exercise originator con~~trol~~sent.

Amendment 134 #

Proposal for a regulation
Article 35 – paragraph 1

1. Information shall be classified only for as long as it requires protection. EUCI that no longer needs the original classification shall be downgraded to a lower level. EUCI that no longer needs to be considered as classified at all shall be declassified. Any classification shall be reviewed at the latest one year after the document’s creation and every year afterwards. In case of documents that concern an ongoing legislative process, this review shall be done no later than two months after the document’s creation and every two months afterwards.

Amendment 135 #

Proposal for a regulation
Article 35 – paragraph 2

2. At the time of creation of EUCI, the originator shall indicate~~, where possible, and in particular for information classified RESTREINT UE/EU RESTRICTED,~~ whether the EUCI can be downgraded or declassified on a given date or following a specific event.

Amendment 136 #

Proposal for a regulation
Article 35 – paragraph 2

2. At the time of creation of EUCI, the originator shall indicate, where possible, ~~and in particular for information classified RESTREINT UE/EU RESTRICTED,~~ whether the EUCI can be downgraded or declassified on a given date or following a specific event.

Amendment 137 #

Proposal for a regulation
Article 35 – paragraph 3

3. ~~The originating~~Each Union institution or body shall be responsible for deciding whether a EUCI document can be downgraded or declassified. ~~It shall review the information and assess the risks regularly and at least every 5 years in order to determine whether the original classification level is still appropriate.~~

Amendment 138 #

Proposal for a regulation
Article 38 – paragraph 1 – subparagraph 2

The operational details of emergency evacuation and destruction plans shall themselves be classified ~~as RESTREINT UE/EU RESTRICTED~~.

Amendment 139 #

Proposal for a regulation
Article 39 – paragraph 1

1. Union institutions and bodies shall decide whether and when to archive EUCI, and the corresponding uniform practical measures~~, in accordance with their policy on document management~~.

Amendment 140 #

Proposal for a regulation
Article 39 – paragraph 2

~~2. EUCI documents shall not be transferred to the Historical Archives of the European Union.~~deleted

Amendment 141 #

Proposal for a regulation
Article 39 a (new)

Article39a Disputes 1. In the event of any doubt as to the protected nature of information or its appropriate level of classification, the Union institutions and bodies shall consult each other without delay and before transmission of the information. In the event of a disagreement, the matter shall be referred to the Presidents of the Institutions or bodies so that they may resolve the dispute. 2. If, at the end of the procedure referred to in paragraph 1, no agreement has been reached, the refusal to revise the protected nature of information or its appropriate level of classification shall be subject to review of its legality in accordance with Article 263 TFEU.

Amendment 142 #

Proposal for a regulation
Article 40 – paragraph 1 – point c a (new)

(ca) monitoring compliance by Union institutions and bodies with the relevant provisions of this Regulation as well as with the guidance documents adopted by the Coordination Group.

Amendment 143 #

Proposal for a regulation
Article 41 – paragraph 1 – point b

(b) ~~key~~crucial security principles for the design of CIS handling and storing EUCI shall apply at the inception of the project, as part of the information security risk management process and taking into account need-to-know, minimal functionality, defence in depth, least privilege, segregation of duties and four eyes;

Amendment 144 #

Proposal for a regulation
Article 41 – paragraph 1 – point f a (new)

(fa) the system owner or the Information Assurance Operational Authority shall ensure that a process of identifying and reporting vulnerabilities is in place; that process shall be complemented by regular audits and penetration tests where appropriate.

Amendment 145 #

Proposal for a regulation
Article 42 – paragraph 1 a (new)

1a. For all information and material classified as EUCI a list of approved cryptographic products shall be maintained by the Council, on the basis of input from the National Security Authorities.

Amendment 146 #

Proposal for a regulation
Article 42 – paragraph 4 a (new)

4a. For information and material classified as RESTREINT UE/EU RESTRICTED a list of additional approved cryptographic products shall be established by ENISA/EU-CERT within 18 months following the publication of the regulation in the Official Journal of the European Union. The list should be reviewed in view of putting it up to date with technological and market developments every subsequent year.

Amendment 147 #

Proposal for a regulation
Article 42 – paragraph 5

5. The Coordination Group shall inform the Council on a yearly basis of any cryptographic products that it recommends for evaluation by a Crypto Authority Approval of a Member State, or ENISA/EU-CERT on the basis of a survey carried out in the Union institutions and bodies.

Amendment 148 #

Proposal for a regulation
Article 51 – paragraph 1

1. All Union institutions and bodies ~~may~~shall share EUCI with other Union institutions or bodies under the conditions set out in Article 54.

Amendment 149 #

Proposal for a regulation
Article 52 – paragraph 2

2. The sub-group on EUCI sharing and exchange of classified information shall be composed of representatives from the European Parliament, the Commission, the Council and the European External Action Service and shall work by consensus. That subgroup shall seek a fair balance between the need to protect EUCI and Regulation (EC) No 1049/2001, and shall ensure that the classification does not in itself prevent disclosure.

Amendment 150 #

Proposal for a regulation
Article 52 – paragraph 2

Amendment 151 #

Proposal for a regulation
Article 52 – paragraph 2

Amendment 152 #

Proposal for a regulation
Article 54 – paragraph 1 – point a

(a) there is a legal obligation under Union law or under an agreement concluded between Union institutions;or (a) there is a proven need for the exchange;

Amendment 153 #

Proposal for a regulation
Article 54 – paragraph 1 – point a a (new)

(aa) there is a legal obligation pursuant to the Treaties, secondary law or an Interinstitutional agreement concluded between Union institutions;

Amendment 154 #

Proposal for a regulation
Article 54 – paragraph 1 – point c

~~(c) the Security Authority of the Union institution or body concerned decides that it may share information classified up to a specified level with other such certified Union institutions and bodies.~~deleted

Amendment 155 #

Proposal for a regulation
Article 56 – paragraph 1 – point a

(a) the Union institution or body concerned needs to exchange, on a long- term basis information classified, as a general rule, no higher than ~~RESTREINT UE/EU RESTRICTED~~CONFIDENTIEL UE/EU CONFIDENTIAL with its counterpart in a third country or international organisation;

Amendment 156 #

Proposal for a regulation
Article 60 – paragraph 2

2. All Union institutions and bodies that have been assessed either by Commission or, European Parliament, Council or EEAS before the [dd/mm/yyyy date of applicability], as suitable to handle and store EUCI, shall be considered as meeting the conditions referred to in Article 19(1).

Amendment 157 #

Proposal for a regulation
Article 60 – paragraph 2

2. All Union institutions and bodies that have been assessed either by Parliament, Commission or, Council or EEAS before the [dd/mm/yyyy date of applicability], as suitable to handle and store EUCI, shall be considered as meeting the conditions referred to in Article 19(1).

Amendment 158 #

Proposal for a regulation
Article 61 – paragraph 1

1. By [dd/mm/yyyy 32 years after the date of application] at the latest, the Commission shall present a report on the implementation of this Regulation to the European Parliament and the Council.

Amendment 159 #

Proposal for a regulation
Article 61 – paragraph 2

2. No sooner than [53 years after the date of application] and every 5 years thereafter, the Commission shall carry out an evaluation of this Regulation and present a report on the main findings to the European Parliament and the Council.

Amendment 160 #

Proposal for a regulation
Annex I – point 1

1. Documents containing sensitive non-classified information must be marked using a security marking and, where relevant, one or more distribution marking or markings specifying the target audience as appropriate. The standard security marking shall be the word ‘~~SENSITIVE~~PROTECTED’ in upper case, except in cases referred to in Article 15(2).

Amendment 161 #

Proposal for a regulation
Annex I – point 4

4. Documents marked ~~SENSITIVE~~PROTECTED are downgraded to EU NORMAL or PUBLIC USE, through the removal or striking of the markings.

Amendment 162 #

Proposal for a regulation
Annex II – paragraph 1 – point 1

1) 1) ‘personnel Security Clearance’ or ‘PSC’ means a statement by ~~a relevant authority of a Member State~~the Commission which is made following completion of a security investigation conducted by the ~~competent authority~~Commission in cooperation with the competent authorities of the relevant Member States and which certifies that an individual may be granted access to EUCI up to a specified level (CONFIDENTIEL UE/EU CONFIDENTIAL or higher) and for a set period of time;

Amendment 163 #

Proposal for a regulation
Annex II – paragraph 1 – point 2

2) ‘personnel Security Clearance Certificate’ means a certificate issued by ~~a competent authority~~the Commission establishing that an individual holds a valid security clearance, or equivalent, or a security authorisation and that shows the level of EUCI to which that individual may be granted access (CONFIDENTIEL UE/EU CONFIDENTIAL or higher), the period of validity of the relevant security clearance or authorisation and the date of expiry of the certificate itself.

Amendment 164 #

Proposal for a regulation
Annex II – point 1

1. The Security Authority of the Union institution and body concerned must seek the written consent of the individual for the security clearance procedure before sending a completed security clearance questionnaire to the ~~National Security Authority of the Member State of nationality of the applicant~~Commission.

Amendment 165 #

Proposal for a regulation
Annex II – point 2

2. Where information relevant to a security investigation becomes known to a Union institution or body, concerning an individual who has applied for a security clearance for access to EUCI, the competent Security Authority, acting in accordance with this Regulation, must notify the ~~relevant National Security Authority~~Commission thereof.

Amendment 166 #

Proposal for a regulation
Annex II – point 3 – introductory part

3. Following notification of the ~~relevant National Security Authority~~Commission’s overall assessment of the findings of the security investigation, the competent Security Authority:

Amendment 167 #

Proposal for a regulation
Annex II – point 4

4. Where the individual starts service 12 months or more after the date of the notification of the result of the security investigation, or when there is a break of 12 months in the individual’s service, the competent Security Authority must seek confirmation from the ~~relevant National Security Authority~~Commission about the validity of the security clearance.

Amendment 168 #

Proposal for a regulation
Annex II – point 5

5. Where information concerning a security risk posed by an individual who has authorisation to access EUCI becomes known to the Union institution or body concerned, the Security Authority of that Union institution or body must notify the ~~relevant National Security Authority~~Commission thereof and may suspend the individual’s access to EUCI or withdraw authorisation to access EUCI.

Amendment 169 #

Proposal for a regulation
Annex II – point 6

6. Where ~~an National Security Authority~~the Commission notifies the relevant Union institution or body that there is no longer assurance for an individual who has access to EUCI, the Security Authority of the Union institution or body concerned must withdraw its security authorisation and exclude the individual from access to EUCI in accordance with its relevant internal rules.

Amendment 170 #

Proposal for a regulation
Annex II – point 8 – paragraph 1

The Security Authority of the Union institution and body concerned may extend the validity of an authorisation to access EUCI for a period of up to 12 months, where no adverse information has been received from the ~~relevant National Security Authority or other competent national authority~~Commission within a period of 2 months from the date of transmission of the request for renewal and the corresponding clearance questionnaire.

Amendment 171 #

Proposal for a regulation
Annex II – point 10

10. The Security Authority of the Union institution or body concerned may exceptionally grant temporary authorisation to access EUCI provided that the cCom~~petent National Security Authority~~mission has conducted a preliminary check, based on the completed and transmitted security questionnaire, to verify that no relevant adverse information is known.

Amendment 172 #

Proposal for a regulation
Annex II – point 13

13. All Union institutions and bodies must ensure that national experts seconded to them for a position requiring security clearance present, prior to taking up their assignment, a valid ~~Personnel Security Clearance or Personne~~national Ssecurity Cclearance ~~Certificate~~, according to national law and regulations, to the competent Security Authority. Provided that the requirements referred to in Article 23(1) are met, the Security Authority may then grant an authorisation to access EUCI up to the level equivalent to the one referred to in the national security clearance, with a maximum validity not longer than the duration of their assignment.

Amendment 173 #

Proposal for a regulation
Annex III – point 8

8. EUCI which is classified RESTREINT UE/EU RESTRICTED must be handled and stored in any of the following areas: (a) in a Secured Area; (b) in an Administrative Area provided the EUCI is protected from access by unauthorised individuals; (c) outside a Secured Area or Administrative Area provided the holder has undertaken to comply with compensatory measures decided by the Security Authority of each Union institution and body.deleted

Amendment 174 #

Proposal for a regulation
Annex III – point 9

9. EUCI which is classified RESTREINT UE/EU RESTRICTED must be stored in locked office furniture in an Administrative Area or a Secured Area. It may temporarily be stored outside an Administrative Area or a Secured Area provided the holder has undertaken to store the documents concerned in appropriate locked office furniture when they are not being read or discussed.deleted

Amendment 175 #

Proposal for a regulation
Annex III – point 10

10. Union institutions and bodies may handle and store RESTREINT UE/EU RESTRICTED information outside their sites provided the relevant information be protected appropriately. For such purpose, Union institutions and bodies must comply with the measures provided in point 8(c).deleted

Amendment 176 #

Proposal for a regulation
Annex IV – point 8

8. ~~RESTREINT UE/EU RESTRICTED information must be carried in at least one layer of opaque packaging, such as envelopes, opaque folders or a briefcase.~~ Information classified CONFIDENTIEL UE/EU CONFIDENTIAL or higher must be carried in two layers of opaque packaging.

Amendment 177 #

Proposal for a regulation
Annex IV – point 10

10. Commercial couriers may convey information classified ~~RESTREINT UE/EU RESTRICTED and~~ CONFIDENTIEL UE/EU CONFIDENTIAL within a Member State and from one Member State to another. Commercial couriers may deliver SECRET UE/EU SECRET information only within a Member State and provided that they are approved by the relevant National Security Authority. No EUCI at TRES SECRET UE/EU TOP SECRET level can be entrusted to a commercial courier.

Amendment 178 #

Proposal for a regulation
Annex V – point 18

18. Where Member States require an FSC or a Personnel Security Clearance for contracts, grant agreements or subcontracts at RESTREINT UE/EU RESTRICTED level under their national laws and regulations, the Union institutions and bodies, as contracting or granting authorities, must not use those national requirements to place additional obligations on other Member States or exclude tenderers, applicants, contractors, beneficiaries or subcontractors from Member States that have no such FSC or Personnel Security Clearance requirements for access to RESTREINT UE/EU RESTRICTED information from related contracts, grant agreements or subcontracts, or a competition for such.deleted

Amendment 179 #

Proposal for a regulation
Annex V – point 22

~~22. Visits involving access to information classified RESTREINT UE/EU RESTRICTED must be arranged directly between the sending and receiving entity.~~deleted

Amendment 180 #

Proposal for a regulation
Annex V – point 24

24. The security accreditation of contractors’ or beneficiaries’ CIS handling EUCI at RESTREINT UE/EU RESTRICTED level and any interconnection thereof may be delegated to the security officer of a contractor or beneficiary where allowed by national laws and regulations. Where the security accreditation task is delegated, the contractor or beneficiary must be responsible for implementing the security requirements described in the Security Aspects Letter when handling RESTREINT UE/EU RESTRICTED information in its CIS. The relevant National Security Authorities or National Security Authorities and SAAs retain responsibility for the protection of information classified RESTREINT UE/EU RESTRICTED handled or stored by the contractor or beneficiary and the right to inspect the security measures taken by the contractor or beneficiary. In addition, the contractor or beneficiary must provide the Union institution and body, as contracting or granting authority, and where required by national laws and regulations, the competent national SAA, with a statement of compliance certifying that the contractor or beneficiary CIS and related interconnections have been accredited for handling and storing EUCI at RESTREINT UE/EU RESTRICTED level.deleted

Amendment 181 #

Proposal for a regulation
Annex V – point 26

26. RESTREINT UE/EU RESTRICTED information may be hand carried by contractor or beneficiary personnel within the European Union, provided the following requirements are met: (a) the envelope or packaging used is opaque and bears no indication of the classification of its contents; (b) the bearer retains possession of the classified information at all times; (c) the envelope or packaging is not opened until it reaches its final destination.deleted

Amendment 34 #

Proposal for a regulation
Citation 1 a (new)

Having regard that for the effective exercise of their mandate in accordance with the Treaties, Members of Parliament shall have access to all types of information based on a need-to-know;

Amendment 35 #

Proposal for a regulation
Citation 1 b (new)

Having regard to the specificity of the mandate of Members of Parliament elected in EU Member States and to the separation of powers between the executive and legislative branches, and as a result, that Members shall be exempted from a security vetting procedure by national security authorities;

Amendment 36 #

Proposal for a regulation
Recital 1

~~(1)~~ Union institutions and bodies ~~(1)~~ currently have their own information security rules, based on their rules of procedure or their founding act, or do not have such rules at all. In that context, each Union institution and body invests significant efforts in adopting different approaches, leading to a situation where exchange of information is not always reliable or impregnable. The lack of a common approach hinders the deployment of common tools building on an agreed set of rules depending on the security needs of the information to be protected, as well as on the interoperability of such tools.

Amendment 37 #

Proposal for a regulation
Recital 1 a (new)

(1a) Given that Union institutions are obliged to apply Article 15(3) TFEU in line with democratic principles, in particular those laid down in Article 10(3) TEU and Article 42 of the Charter of Fundamental Rights of the European Union (‘the Charter’), the European Union classified information (‘EUCI’) system should adhere to the principles of data classification minimisation and time limitation for any such classification.

Amendment 38 #

Proposal for a regulation
Recital 1 a (new)

(1a) There are concerns surrounding the fact that the Commission and the European External Action Service (EEAS) are putting in place two concurrent initiatives to collaborate with private companies on cybersecurity threats.

Amendment 39 #

Proposal for a regulation
Recital 2

(2) While progress has been made towards more consistent rules for the protection of European Union classified information (‘EUCI’) and non-classified information, the interoperability of the relevant systems remains limited, preventing a seamless transfer of information between the different Union institutions and bodies. Interinstitutional cooperation and trust is key to protecting, in an efficient and effective manner, the Information security environment of the Union. Further efforts should therefore be made to enable an interinstitutional approach based on increased synergies to the sharing of EUCI and sensitive non- classified information, with common categories of information and common key handling principles. A baseline should also be envisaged to simplify procedures for sharing EUCI and sensitive non-classified information between Union institutions and bodies and with Member States.

Amendment 40 #

Proposal for a regulation
Recital 2

(2) While progress has been made towards more consistent rules for the protection of European Union classified information (‘EUCI’) and non-classified information, the interoperability of the relevant systems remains limited, preventing a seamless transfer of information between the different Union institutions and bodies. ~~Further efforts should therefore be made to enable a~~An interinstitutional approach to the sharing of EUCI and sensitive non-classified information should be set up, with common categories of information and common key handling principles. ~~A baseline should also be envisaged to simplify p~~Procedures for sharing EUCI and sensitive non-classified information between Union institutions and bodies and with Member States should be simplified.

Amendment 41 #

Proposal for a regulation
Recital 3

(3) Therefore, relevant rules ensuring a common level of information security in all Union institutions and bodies should be laid down, especially as the cybersecurity threats are growing and many national bodies have been attacked. They should constitute a comprehensive and coherent general framework for protecting EUCI and non- classified information, and should ensure equivalence of basic principles and minimum standards.

Amendment 42 #

Proposal for a regulation
Recital 3

(3) Therefore, relevant rules ensuring a common level of information security in all Union institutions and bodies should be laid down. They should constitute a comprehensive and coherent general framework for protecting EUCI and non- classified information, and should ensure equivalence of basic principles and common minimum standards.

Amendment 43 #

Proposal for a regulation
Recital 3 a (new)

(3a) This Regulation lays down rules applicable to the administration of the all Union institutions and bodies, but it does not include the Commissioners, the Representatives of Member States acting within the Council, the Members of the European Parliament, the Judges of the Union Courts or the Members of the European Court of Auditors who are subject to their internal rules.

Amendment 44 #

Proposal for a regulation
Recital 3 a (new)

(3a) Article 15 TFEU states that the Unions’ institutions, bodies, offices and agencies shall conduct their work as openly as possible, and that every citizen of the Union shall have a right of access to documents. Accordingly, every classification of documents shall take place in the light of these overarching principles.

Amendment 45 #

Proposal for a regulation
Recital 3 a (new)

(3a) Whereas the Treaties attribute powers to the different Union institutions. For these powers to be exercised effectively, Members thereof should have access by virtue of their mandate to all necessary information on the basis of a need-to-know.

Amendment 46 #

Proposal for a regulation
Recital 3 a (new)

(3a) Members of the Union institutions should have access by virtue of their mandate to all necessary information on the basis of the ‘need-to-know principle’ in order to exercise the powers vested to them by the Treaties.

Amendment 47 #

Proposal for a regulation
Recital 3 a (new)

(3a) EU governments should keep ownership of their sensitive information.

Amendment 48 #

Proposal for a regulation
Recital 3 b (new)

(3b) In order to ensure the effectiveness of this Regulation it would be appropriate to assess whether the internal rules applicable to Commissioners, the Representatives of Member States acting within the Council, the Members of the European Parliament, the Judges of the Union Courts or the Members of the European Court of Auditors are in line with the common minimum level of protection established by this Regulation and make the modifications needed, if this is not the case.

Amendment 49 #

Proposal for a regulation
Recital 3 b (new)

(3b) In the context of information security, Union institutions and bodies should increase organisational interoperability and take joint action to ensure that networks, information systems, data, and all material assets employed to capture, store, process and transmit the information are duly protected.

Amendment 50 #

Proposal for a regulation
Recital 3 c (new)

(3c) Access to information in a secure manner and in a context of mutual trust is essential for the European co-legislators to exercise their functions and not to be restricted in the exercise of their democratic functions; Members of the European Parliament exercise this legislative function and their access to information should therefore be governed by rules comparable in requirements to the common minimum standards established by this Regulation.

Amendment 51 #

(4) The recent pandemic ~~caused a significant change~~expedited the significant underlying transformation in working practices, with remote communication tools becoming the rule. Therefore, many procedures that were still at least partly paper-based were rapidly adjusted to enable electronic processing and exchanges of information. These developments require changes in the handling and protection of information. This Regulation takes account of the new working practices.

Amendment 52 #

Proposal for a regulation
Recital 5

(5) By creating a minimum common level of protection for EUCI and non- classified information, this Regulation contributes to ensuring that the Union institutions and bodies have the support of an efficient and independent administration in carrying out their missions. At the same time, each Union institution and body retains its autonomy in determining how to implement the rules laid down in this Regulation, in line with its own security needs. This Regulation shall in no case prevent Union institutions and bodies to fulfil their mission, as entrusted by the EU legislation, or encroach on their institutional autonomy. This minimum common level of protection for EUCI should ensure a careful balance between transparency and the use of classification in a way that prevents the EU bodies from carrying out their role.

Amendment 53 #

Proposal for a regulation
Recital 5

(5) By creating a minimum common level of protection for EUCI and non- classified information, this Regulation contributes to ensuring that the Union institutions and bodies have the support of an efficient and independent administration in carrying out their missions. At the same time, each Union institution and body retains its autonomy in determining how to implement the rules laid down in this Regulation, in line with its own security needs. This Regulation shall in no case prevent Union institutions and bodies to fulfil their mission, as entrusted by the EU legislation, or encroach on their institutional autonomy. Due account should also be taken that the measures do not negatively affect the Union entities’ efficient information exchange and operations with other Union entities and national competent authorities.

Amendment 54 #

Proposal for a regulation
Recital 5 a (new)

(5a) Sharing of EUCI in a transparent and timely manner is paramount for the proper functioning of Union institutions and bodies. When implementing this Regulation, Union institutions and bodies should strive to enhance transparency, minimise and limit in time the use of confidential documents, provide safeguards against the use of classification in a manner that would prevent Union entities from fulfilling their mission, and ensure that whistle-blowers are adequately protected and that there is a high level of protection of information in line with Union law and best practices.

Amendment 55 #

Proposal for a regulation
Recital 5 a (new)

(5a) This Regulation should ensure that any limitation of the right to the protection of personal data and privacy is necessary and proportionate and respect the essence of the right in accordance with Article 52(1) of the Charter of Fundamental Rights of the European Union.

Amendment 56 #

Proposal for a regulation
Recital 5 b (new)

(5b) All information security measures involving processing of personal data should be compliant with the relevant Union data protection and privacy law. Union institutions and bodies should provide relevant technical and organisational safeguards to ensure compliance in an accountable, transparent and justified manner.

Amendment 57 #

Proposal for a regulation
Recital 6 a (new)

(6a) Most of the information on cyberthreats relates to the vulnerabilities exploited, in other words the weaknesses hackers exploit to obtain unauthorised access. The European Union Agency for Cybersecurity (ENISA) may not have sufficient capacity to deal with the volume of reports received from product manufacturers about such vulnerabilities. Member States would prefer these notifications to be sent to the national computer security incident response teams (CSIRT).

Amendment 58 #

Proposal for a regulation
Recital 7 a (new)

(7a) In order to preserve the specific nature of the European Central Bank’s (ECB) tasks and activities as part of the European System of Central Banks (ESCB) and the Single Supervisory Mechanism (SSM), which are performed in cooperation with the national central banks and national competent authorities, this Regulation should not apply to ESCB and SSM Information.

Amendment 59 #

Proposal for a regulation
Recital 8

(8) With a view to establishing a formal common and uniform structure for cooperation between Union institutions and bodies in the field of information security, it is necessary to set up an Interinstitutional Coordination Group (the ‘Coordination Group’) in which all Union institutions’ and bodies’ Security Authorities are represented. Without having decision- making powers, the Cordination Group should enhance the coherence of policies in the field of information security and should contribute to the harmonisation of the information security procedures and tools across the Union institutions and bodies.

Amendment 60 #

Proposal for a regulation
Recital 9

(9) The Coordination Group’s work needs the support of experts in different areas of information security: categorisation and marking, communication and information systems, accreditation, physical security and sharing EUCI and exchanging classified information. In order to reduce administrative burden and prevent duplication of effort across the Union institutions and bodies, thematic sub- groups should be therefore established. Moreover, where needed, the Coordination Group should be able to set up other subgroups with specific tasks.

Amendment 61 #

Proposal for a regulation
Recital 10

(10) The Coordination Group should closely cooperate with the National Security Authorities of the Member States with a view to enhancing information security in the Union. An Information Security Committee of the Member States should therefore be set up to provide advice to the Coordination Group, while respecting the prerogatives of the Member States as regards confidential security data.

Amendment 62 #

Proposal for a regulation
Recital 10

(10) The Coordination Group should closely cooperate with the ~~National Security~~Classification Authorit~~ies~~y of the Member States with a view to enhancing information security in the Union. An Information Security Committee of the Member States should therefore be set up to provide advice to the Coordination Group.

Amendment 63 #

Proposal for a regulation
Recital 12

(12) The principle of information security risk management should be at the core of the policy to be developed in the field by each Union institution and body. While the common minimum requirements laid down in this Regulation must be met, each Union institution and body should adopt specific security measures for protecting information in accordance with the results of an internal risk assessment. In the same way, the technical means to protect the information should be adapted to the ~~specific situation~~needs and specificities of each institution and body.

Amendment 64 #

Proposal for a regulation
Recital 13

(13) Given the diversity of categories of non-classified information that the Union institutions and bodies have developed based on their own security information rules and in order to avoid delay in the implementation of this Regulation, Union institutions or bodies should be able to maintain their own marking system for internal purposes or in the exchange of information with their particular counterparts from other institutions and bodies or from the Member States.deleted

Amendment 65 #

Proposal for a regulation
Recital 14

(14) With the purpose of adjusting to the new teleworking practices, the network information systems, digital infrastructure, and terminal devices used for connecting to the Union institution’s or body’s remote access services should be protected by ~~adequate~~state of the art security measures.

Amendment 66 #

Proposal for a regulation
Recital 14

Amendment 67 #

Proposal for a regulation
Recital 15

(15) Since Union institutions and bodies frequently make use of contractors and outsourcing, it is important to establish common provisions relating to contractors’ personnel carrying out tasks related to information security. Such provisions should include, inter alia, a requirement in the tender procedures to undergo thorough vetting, taking into account the full range of the supply chain and economic and political environment in which the third parties operate. Where the relationships with third parties pose a risk to the integrity of democratic processes in the EU, they should be terminated without undue delay.

Amendment 68 #

Proposal for a regulation
Recital 15

Amendment 69 #

Proposal for a regulation
Recital 16

(16) The substantive rules regarding access to EUCI in the internal rules of various Union institutions and bodies are currently aligned, but there are significant differences as regards denominations and required procedures. ~~This creates a burden for the National Security Authorities of the Member States who need to adjust to different requirements.~~ Thus it is necessary to provide for a common glossary and common procedures in the area of personnel security, thereby ~~simplifying cooperation with the National Security Authorities of the Member States and~~ limiting the risk of compromising EUCI.

Amendment 70 #

Proposal for a regulation
Recital 18

(18) The protection of EUCI is also ensured by technical and organisational measures which apply to the premises, buildings, rooms, offices or facilities of the Union institutions and bodies where EUCI is discussed, handled or stored. This Regulation provides for the implementation of an information security management process in the area of physical security which would allow Union institutions and bodies to select the appropriate security measures for their sites. A thorough evaluation of security infrastructure, including services, should be carried out, encompassing all aspects of the operational chain and environment.

Amendment 71 #

Proposal for a regulation
Recital 20

(20) Originator control is a~~n important~~ principle in the EUCI management, therefore it needs to be ~~clearly stipulated and developed~~taken into account. In that regard, the creation of EUCI confers to the originator a responsibility ~~which should cover the entir~~at the beginning of the life cycle of the relevant EUCI document.

Amendment 72 #

Proposal for a regulation
Recital 21

(21) Union institutions and bodies have been traditionally developed their communication and information systems autonomously, with insufficient attention to their interoperability across all Union institutions and bodies. It is therefore necessary to establish minimum security requirements concerning the Communication and Information Systems (CISs) handling ~~and stor~~, storing, and transmitting both EUCI and non-classified information with the aim to guarantee a seamless exchange of information with the relevant stakeholders.

Amendment 73 #

Proposal for a regulation
Recital 21 a (new)

(21a) Information held by the Union entities is also exchanged through the ICT environment, on-premises or through virtual assets, ICT products, ICT services and ICT processes, as well as networks and information systems whether owned and operated by a Union entity or hosted or operated by a third party, including mobile devices, corporate networks, and business networks not connected to the internet and any devices connected to the ICT environment.

Amendment 74 #

Proposal for a regulation
Article 1 – paragraph 1

1. This Regulation lays down a minimum set of common and uniform information security rules for all Union institutions and bodies.

Amendment 75 #

Proposal for a regulation
Article 1 – paragraph 1

1. This Regulation lays down common minimum information security rules for all Union institutions and bodies.

Amendment 76 #

Proposal for a regulation
Article 1 – paragraph 1 a (new)

1a. This Regulation is without prejudice to Regulation (EC) 1049/2001 of the European Parliament and of the Council. Nothing in this Regulation, in particular the provisions on EUCI, may be used to restrict the right of access to documents of the Union institutions, bodies, offices and agencies beyond the applicable legislation on such access.

Amendment 77 #

Proposal for a regulation
Article 2 – paragraph 1

1. This Regulation shall apply to all information handled and stored by the Union institutions and bodies, including information related to activities of the European Atomic Energy Community, other than Euratom Classified Information, and excluding information related to the ECB’s tasks and activities within the ESCB and the SSM.

Amendment 78 #

Proposal for a regulation
Article 2 – paragraph 1 a (new)

1a. This Regulation is without prejudice to Regulation (Euratom) No 3/1958[1], Regulation No 31 (EEC), 11 (EAEC), laying down the Staff Regulations of Officials and the Conditions of Employment of other servants of the European Economic Community and the European Atomic Energy Community[2], Regulation (EC) 1049/2001 of the European Parliament and of the Council[3], Regulation (EU) 2018/1725 of the European Parliament and of the Council[4], Council Regulation (EEC, EURATOM) No 354/83[5], Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council[6], Regulation (EU) 2021/697 of the European Parliament and of the Council[7], Regulation (EU) [...] of the European Parliament and of the Council[8] laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union.[KL1] [1] Regulation (Euratom) No 3/1958 implementing Article 24 of the Treaty establishing the European Atomic Energy Community (OJ 17, 6.10.1958, p. 406). [2] OJ 45, 14.6.1962, p. 1385. [3] Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43). [4] Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39). [5] Council Regulation (EEC, EURATOM) No 354/83 of 1 February 1983 concerning the opening to the public of the historical archives of the European Economic Community and the European Atomic Energy Community (OJ L 43, 15.2.1983, p. 1). [6] Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the general budget of the Union, amending Regulations (EU) No 1296/2013, (EU) No 1301/2013, (EU) No 1303/2013, (EU) No 1304/2013, (EU) No 1309/2013, (EU) No 1316/2013, (EU) No 223/2014, (EU) No 283/2014, and Decision No 541/2014/EU and repealing Regulation (EU, Euratom) No 966/2012 (OJ L 193, 30.7.2018, p. 1). [7] Regulation (EU) 2021/697 of the European Parliament and of the Council of 29 April 2021 establishing the European Defence Fund and repealing Regulation (EU) 2018/1092 (OJ L 170, 12.5.2021, p. 149). [8] Regulation […] of the European Parliament and of the Council laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union.

Amendment 79 #

Proposal for a regulation
Article 2 – paragraph 1 a (new)

1a. This Regulation does not apply to the Commissioners, the Representatives of Member States acting within the Council, the Members of the European Parliament, the Judges of the Union Courts or the Members of the European Court of Auditors. In order to ensure the effectiveness of the Regulation and not to create any gap within the information security system or any discrepancies among people within the same institution, this institutions and bodies shall adopt internal rules aligned with this Regulation.

Amendment 80 #

Proposal for a regulation
Article 2 – paragraph 2 – point a

(a) three levels of non-classified information: public use, normal and ~~sensitive~~protected non-classified; (This amendment applies throughout the text. Adopting it will necessitate corresponding changes throughout.)

Amendment 81 #

Proposal for a regulation
Article 2 – paragraph 2 – point b

(b) ~~four~~three levels of EU classified information: ~~RESTREINT UE/EU RESTRICTED,~~ CONFIDENTIEL UE/EU CONFIDENTIAL, SECRET UE/EU SECRET, TRES SECRET UE/EU TOP SECRET. (This amendment applies throughout the text. Adopting it will necessitate corresponding changes throughout.)

Amendment 82 #

Proposal for a regulation
Article 2 – paragraph 3

3. These levels are based on the damage that unauthorised disclosure may cause to the legitimate ~~private and~~ public interests, including those of the Union, Union institutions and bodies and Member States or other stakeholders, so that the appropriate protective measures can be applied.

Amendment 83 #

Proposal for a regulation
Article 4 – paragraph 1 a (new)

1a. Members of the Union Institutions shall have access to all types of information on the basis of a need-to- know for the effective exercise of their mandate in accordance with the Treaties.

Amendment 84 #

Proposal for a regulation
Article 4 – paragraph 2

2. Non-compliance with this Regulation, in particular the unauthorised disclosure of information with the confidentiality levels referred to in Article 2(2), except information for public use shall be subject to investigation and may trigger personnel liability in accordance with the Treaties or with their relevant staff rules with due regard to the provisions on the disclosure of facts which give rise to a presumption of the existence of possible illegal activity, including fraud or corruption, detrimental to the interests of the Union, or of conduct relating to the discharge of professional duties which may constitute a serious failure to comply with the professional obligations, as well as the protection of persons who report breaches of Union law.

Amendment 85 #

Proposal for a regulation
Article 4 – paragraph 3

3. Whithout prejudice to Article 15 TFEU, Union institutions and bodies shall assess all information they handle and store in order to categorise it in accordance with the confidentiality levels referred to in Article 2(2).

Amendment 86 #

Proposal for a regulation
Article 4 – paragraph 4 – point d

(d) integrity: the fact that the information is complete and completeness of information is unaltered and the fact that the technical infrastructure used to share information is protected from any foreign interference;

Amendment 87 #

Proposal for a regulation
Article 4 – paragraph 6 – subparagraph 2

Union institutions and bodies handling and storing EUCI shall organise mandatory training at least once every 5 years for all individuals authorised to access EUCI. The Union institutions and bodies concerned shall organise specific training for the specific functions entrusted with information security tasks. Union entities shall, not later than six months after the date of entry into force of this Regulation, design and implement effective and appropriate training courses for all individuals authorised to access EUCI, commensurate to the risks identified in accordance with Article 5.

Amendment 88 #

Proposal for a regulation
Article 5 – paragraph 3 – point a a (new)

(aa) the risks to the rights and freedoms of natural persons;

Amendment 89 #

Proposal for a regulation
Article 5 – paragraph 3 – point f

(f) business continuity, crisis management and disaster recovery;

Amendment 90 #

Proposal for a regulation
Article 6 – paragraph 1 – subparagraph 2 a (new)

The appointed members of the Coordination Group shall be adequately gender and geographically balanced.

Amendment 91 #

Proposal for a regulation
Article 6 – paragraph 2 – point a a (new)

(aa) adopt decisions on the establishment of thematic sub-groups, their terms of reference and the regularity of their meetings;

Amendment 92 #

Proposal for a regulation
Article 6 – paragraph 2 – point e a (new)

(ea) monitor compliance by Union institutions and bodies with this Regulation as well as with the guidance documents established pursuant to point (c) through the adoption of a yearly evaluation report, which shall compile input from the relevant sub-groups.

Amendment 93 #

Proposal for a regulation
Article 6 – paragraph 2 – point e a (new)

(ea) monitor compliance by Union institutions and bodies with this Regulation, as well as with the guidance documents established pursuant to point (c) through the adoption of a yearly evaluation report;

Amendment 94 #

Proposal for a regulation
Article 6 – paragraph 6

6. Each Union institution or body shall be appropriately represented in the Coordination Group ~~and where applicable, in the thematic sub-groups~~. The Parliament, the Commission and the Council shall be represented in all thematic sub-groups. Other institutions and bodies where applicable.

Amendment 95 #

Proposal for a regulation
Article 6 – paragraph 7

7. Union institutions and bodies shall bring to the attention of the Coordination Group any significant information security policy development within their organisation without undue delay.

Amendment 96 #

Proposal for a regulation
Article 6 – paragraph 8

8. In the performance of the tasks referred to in paragraph 2, point (e), the Coordination Group shall be assisted by an Information Security Committee. That Committee shall be composed of one representative from each National Security Authority and shall be chaired by the Secretariat of the Coordination Group, referred to in paragraph 5. A representative of the Parliament shall attend as observer. The Information Security Committee shall have an advisory role.

Amendment 97 #

Proposal for a regulation
Article 7 – paragraph 1 – point e a (new)

(ea) a sub-group on administrative arrangements with third countries and international organisations.

Amendment 98 #

Proposal for a regulation
Article 8 – paragraph 1

1. Each Union institution and body shall designate a Security Authority to assume the responsibilities assigned by this Regulation and~~, where applicable, by its internal security rules~~ monitor and ensure compliance by each Union institution or body concerned with the guidance documents adopted by the Coordination Group. In performing its tasks, each Security Authority shall have the support of the department or officer entrusted with Information Security tasks.

Amendment 99 #